DEV Community

yayabobi
yayabobi

Posted on • Originally published at myrror.security

A Step-by-Step Guide to Running a SAST Test

Insecure code has become one of the biggest threats to modern software development, and AI may be making it worse. As developers are increasingly attracted to the convenience of machine-generated snippets, more AI-generated code creeps into projects, which can introduce subtle but dangerous flaws. 

On average, a typical software project hides 40 vulnerabilities in its first-party code, with a third of those being high-severity. Ignoring them isn't an option. If you're not scanning your code to catch these flaws early, you're inviting data breaches, compliance failures, or costly downtime (or all of these three simultaneously).  Learning how to run a SAST test is the first step in dealing with this problem. 

What Is Static Application Security Testing (SAST)? - Parasoft

Source

What is a SAST Test and How it Works

Static Application Security Testing (SAST) is a white-box testing method for identifying and analyzing vulnerabilities in your code. It scans your source code, bytecode, or binaries without running the application. This testing type can even scan incomplete code, allowing you to address vulnerabilities before compilation and deployment. Some of the security risks SAST can detect include: 

  • SQL injection
  • Cross-site scripting (XSS)
  • Hardcoded secrets
  • Insecure deserialization
  • Buffer overflows
  • Misconfigurations in security-related code

Source

SAST is most effective at spotting vulnerabilities in your own code because it directly analyzes your code's logic and structure. This capability helps catch issues like insecure coding patterns or logic errors that are harder to spot in compiled or third-party code. While it can detect vulnerabilities in third-party libraries, your own code is the primary focus since those libraries require more context on their usage.

The real value of SAST comes from catching security flaws early in the development process, reducing the time and cost of addressing issues later on. When integrated into a CI/CD pipeline, SAST can run automatically, keeping your codebase under continuous security checks as your team works through the software development life cycle (SDLC). 

How Does SAST Fit into Supply Chain Security?

Assessing software supply chain risks goes beyond just securing third-party libraries and dependencies. While SCA (Software Composition Analysis) tools zero in on vulnerabilities in external components, SAST focuses on your first-party code -- the code your team creates -- and analyzes it before execution. DAST (Dynamic Application Security Testing) complements this by testing the application during runtime, catching vulnerabilities that only surface when the code is actively running, like insecure API usage. 

Source

It's important to note that no single tool provides complete coverage. By integrating SAST, DAST, and SCA throughout your SDLC, you can cover all your bases---catching static flaws, uncovering runtime issues, and managing third-party risks. 

Before automating your security testing across the SDLC, consider creating a Software Bill of Materials (SBOM) that lists all your system components. While the SBOM itself doesn't identify vulnerabilities, it provides valuable context for your security tools, enabling them to spot and resolve vulnerabilities more efficiently. 

Increasingly sophisticated attacks are shaking the foundations of software supply chain security as we know it, making it increasingly difficult to predict and protect against new threats. Think Log4Shell or SolarWinds -- two attacks that exploited vulnerabilities in widely used software and affected millions of people, leading to unauthorized access and espionage. 

As attackers continue to leverage unexpected gaps, you need a layered approach and the most advanced technology to assess cyber risk and protect your code from every angle.

Source

Step-by-Step Guide to Running a SAST Test

1. Identify the Scope of the Code

Before starting a SAST test, clearly define the scope of the code to be analyzed. Determine whether you are scanning the entire codebase or just specific modules. Consider focusing on high-risk areas, such as code handling sensitive data or more vulnerable legacy components. The scope should align with the project's current phase and risk profile.

2. Select the Right SAST Tool

Look for a SAST tool that supports the programming languages in your codebase, offers integration with your existing development stack (e.g., IDEs, CI/CD pipelines), and provides detailed reporting features. Ensure the tool generates actionable insights, such as vulnerability severity ratings and remediation suggestions. Exportable reports for compliance audits may also be helpful. 

3. Set Up the Testing Environment

Once you've selected your SAST tool, install it on a dedicated server or a local machine or integrate it directly into your CI/CD pipeline. If applicable, use Docker or Kubernetes to deploy the tool for consistency across environments.

Grant read-only access to your repositories, allowing the tool to pull all necessary code, dependencies, and submodules. You may need API tokens or SSH keys to secure access to version control systems.

Store scan results in secure, encrypted storage -- locally or using cloud solutions like AWS S3 with encryption. Plan for scalable storage to handle extensive reports and set up backups, especially for sensitive codebases.

Source

4. Customize SAST Settings

Customizing your SAST tool ensures that it identifies relevant vulnerabilities without unnecessary noise. Adjusting the sensitivity, setting inclusion/exclusion filters, and defining security rulesets aligned with your organization's risk tolerance will improve the accuracy of test results. Consider the following when adjusting settings:

  • File Exclusions---To speed up scans, exclude low-risk files or directories, such as configuration files or test data.
  • Severity Levels -- Fine-tune severity thresholds to focus on high-priority issues, ignoring low-severity vulnerabilities if they pose minimal risk.
  • Custom Rules -- For unique business logic or proprietary code, create custom security rules that reflect the specific needs of your application.

For projects requiring compliance with security standards like OWASP Top 10, PCI DSS, or HIPAA, activate rule sets aligned with these frameworks to flag relevant issues.

Here's an example YAML configuration for setting file exclusions and severity levels:

sast:

  exclude_paths:

    -- "tests/"

    -- "docs/"

  severity_threshold: "high"

  custom_rules:

    -- id: "CUST-001"

      description: "Custom rule for sensitive data exposure"

      pattern: "secret_key"

      severity: "high"

5. Execute the SAST Test and Review Results

Now that your environment is set up and configured, it's time to initiate the SAST scan. Depending on the tool and integration, this might involve triggering a manual scan or automating it through your CI/CD pipeline after each code commit or pull request.

For example, here's a snippet of how you might execute a SonarQube scan from the command line:

sonar-scanner

  -Dsonar.projectKey=my_project_key

  -Dsonar.sources=./src

  -Dsonar.host.url=http://localhost:9000

  -Dsonar.login=your_token

When the scan completes, you'll receive a report detailing the vulnerabilities found, categorized by critical, high, medium, or low severity. Focus on addressing critical and high-severity issues first, as they pose the most significant risk. Review the details of each vulnerability, including its location in the codebase, a description of the problem, and suggested remediation steps.

Be mindful of the false positives that SAST often pings. These are flagged issues that may not be actual vulnerabilities. Cross-check the flagged issues with known safe coding practices to filter out noise and consider leveraging additional tools like DAST for runtime verification. 

6. Remediation and Re-Testing

After you address the initial round of vulnerabilities, re-run the SAST test to confirm that the issues have been adequately resolved. This step is critical to verify that you didn't introduce any new vulnerabilities during remediation. 

Source

Closing Security Gaps with Myrror

The reality is the earlier you catch vulnerabilities, the fewer headaches you'll face. With the increasing complexity of modern software, your first-party code can be a minefield. SAST can undoubtedly help, but it has limitations and should be combined with other testing methods and tooling.

While SAST focuses on locking down your code, Myrror picks up where it leaves off, continuously monitoring third-party dependencies that can introduce risks after the SAST phase. It ensures that external libraries aren't quietly opening the door to new vulnerabilities even after your code is secure. 

The Myrror platform offers unmatched insight into supply chain vulnerabilities and attacks through its three advanced engines, which improve detection, prioritization, and mitigation. Its patent-pending Binary-to-Source technology can identify attacks even without previously known vulnerabilities, allowing it to detect even the most sophisticated threats with precision. Book a demo with Myrror Security to fortify your software supply chain.

Top comments (0)